Event Materials

Security Tomorrow, Today: Cybersecurity Updates from DARPA: June 2025 COGR Meeting

The document summarizes a June 2025 briefing presented to COGR by Jesse Watkins, Deputy Director of the Security and Intelligence Directorate at DARPA, and Kris West, Director of Research Ethics & Compliance at COGR. The presentation focuses on the evolving landscape of cybersecurity requirements for academic institutions, particularly those handling Controlled Unclassified Information (CUI) in partnership with federal agencies such as DARPA. It highlights the regulatory frameworks governing cybersecurity, notably NIST SP 800-171 Rev 3 and the Cybersecurity Maturity Model Certification (CMMC), detailing the tiered compliance obligations and assessment protocols required for institutions processing U.S. government data. Special emphasis is placed on the challenges unique to the higher education and research sectors, including limited cybersecurity resources and budgets, complex regulatory requirements, the pace of technological innovation, and the need to balance collaboration with robust security. The briefing also addresses emergent issues related to specialized research areas—such as biotechnology, quantum computing, and clinical research—and the management of sensitive data types under additional legal or regulatory regimes (e.g., PHI, ITAR). Solutions recommended by NIST include the development of targeted cybersecurity resources, enhanced inter-institutional and federal collaboration, tailored training, and guidance on the adoption and integration of relevant frameworks. An extensive Q&A session clarifies DARPA’s current stance on the scope and application of these standards, indicating that while implementation of certain NIST standards is not universally mandated for academic institutions, evolving program requirements and risk assessments may necessitate heightened protections.
The document further outlines updates related to risk-based security reviews and the operationalization of new compliance decision matrices, including more frequent updates to restricted party lists and clarifications regarding disclosures and international collaborations. In conclusion, the content underscores the increasing complexity and critical importance of cybersecurity in federally funded research, the ongoing efforts to provide practical compliance pathways, and the necessity for close cooperation between federal agencies and academic institutions.

This summary was generated with AI.